Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 17:16
Static task: static1
Behavioral task: behavioral1
- Sample: 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe
- Size: 120KB
- MD5: 35a6995a16fbe67481d1f4009097bc96
- SHA1: 3bed5242a1d55727237c9961b5ed4051d8574807
- SHA256: 65ad2478227e741dca264fefbf2a4f463743cc4cf705c7237526c2e3c079a3b4
- SHA512: 995ba407f4a47d291ccde90a03906e6b76cb3b16f93fb573bbb947bd908164f0f1376c117b5d410c85fff13e04f18a8d2ffa04e8c2f2b7e862b782197ace927c
- SSDEEP: 3072:DWz+jh/MvQk6MaV38shyoCB3equmwLwL:SzQ6Qk6foZufLi
Malware Config
Signatures (repeated identical entries collapsed; the count in each heading is the sandbox's total)
- Executes dropped EXE (1 IoC)
  pid 9996, process cleansweep.exe
- Loads dropped DLL (2 IoCs)
  pid 2404, process 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe (2 entries)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2404, process 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe (2 entries)
  pid 9996, process cleansweep.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 2404, process 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe (2 entries)
  Token: SeDebugPrivilege, pid 9996, process cleansweep.exe (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs); all writes originate from pid 2404, 35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe
  PID 2404 wrote to memory of 1176 (Explorer.EXE in the process tree below), procid_target 21 (repeated)
  PID 2404 wrote to memory of 392 (wininit.exe in the process tree below), procid_target 4 (repeated)
  PID 2404 wrote to memory of 432 (winlogon.exe in the process tree below), procid_target 5 (2 entries)
Processes (process tree: image path | command line | PID)
- C:\Windows\system32\wininit.exe | wininit.exe | PID 392
  - C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 476
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 588
      - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1560
      - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 1016
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 672
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 756
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 804
      - C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1152
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 848
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 964
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 276
    - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 496
    - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1076
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1100
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 268
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 2544
    - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 2576
  - C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 492
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 500
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 432
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1176
  - C:\Users\Admin\AppData\Local\Temp\35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\35a6995a16fbe67481d1f4009097bc96_JaffaCakes118.exe" | PID 2404
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\cleansweep.exe\cleansweep.exe | "C:\cleansweep.exe\cleansweep.exe" | PID 9996
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 1KB
  MD5: cebe8b9a83d6b8907b1dd52ef798f046
  SHA1: af396bc6fe3e8a38e24c0a0b1b3ecef05b48d6b0
  SHA256: 9b75de651bf631272e8193ced7dde7c5b40094797a6b02fec952d32185216ba9
  SHA512: 0787900cd6c044d69de6ddcc4308f6f887a051bb1b0aa8ec68141d4317435e1e8370d2845e51459040dcb7dabf6aea204c33cb5502312f05f81126de486407c5
- Filesize: 120KB (same hashes as the submitted sample in General above)
  MD5: 35a6995a16fbe67481d1f4009097bc96
  SHA1: 3bed5242a1d55727237c9961b5ed4051d8574807
  SHA256: 65ad2478227e741dca264fefbf2a4f463743cc4cf705c7237526c2e3c079a3b4
  SHA512: 995ba407f4a47d291ccde90a03906e6b76cb3b16f93fb573bbb947bd908164f0f1376c117b5d410c85fff13e04f18a8d2ffa04e8c2f2b7e862b782197ace927c